The Hacker News — Cyber Security, Hacking, Technology News

The Dridex banking trojan, which is widely used by cyber criminals to distribute malware onto users' machines, has now been found distributing security software.

A portion of the Dridex banking Trojan botnet may have been hacked or compromised by an unknown white-hat hacker, who replaced the malicious links with Avira Antivirus installers.

What is the Dridex Banking Trojan, and How Does it Work?

Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.

The Dridex virus typically distributes itself through spam messages or emails that include malicious attachments, most often a Microsoft Office file or Word document embedded with malicious macros.

Once the malicious file has been opened, the macros download and install the main payload of the virus – the trojan program itself – from a hijacked server, and it installs and runs on the victim's computer.

The Dridex trojan program then creates a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.

This results in the theft of the victim's personal data, such as usernames and passwords, with the ultimate aim of breaking into bank accounts and siphoning off cash.

Hacker replaces Trojan with Anti-virus

The recent hack, however, comes as a surprise: instead of distributing the banking trojan, a portion of the Dridex botnet currently appears to be spreading legitimate copies of Avira's free anti-virus software, as the company itself has announced.

Avira believes that the white hat hacker or hackers may have hacked into a portion of infected web servers using the same flaws the malware authors used and then replaced the malicious code with the Avira installer.

So, once infected, instead of receiving Dridex malware, the victims get a valid, signed copy of Avira antivirus software.

"We still don't know exactly who is doing this with our installer and why – but we have some theories," said Kroll. "This is certainly not something we are doing ourselves."

Although the motives behind including the Avira software are still unclear, these kinds of actions are considered illegal in many countries, said Kroll.

What can be done to protect against malware attacks?

The guidance for preventing your machine from becoming part of the Dridex banking Trojan botnet is:

Ensure you have an updated antivirus program running on your PC, which should be able to intercept the malicious attachments before they are opened.

Duuzer Infects via Spear Phishing or Watering Hole Attacks

It is currently unclear how the malware is being distributed, but according to Symantec researchers, the most obvious routes are spear-phishing campaigns and watering-hole attacks.

Once infected, Duuzer checks whether the system is running in a virtual machine such as VMware or VirtualBox, to ensure that security researchers are not analyzing the malware before it performs its malicious routines.

Moreover, the Trojan identifies software already configured to run at startup, adopts the name of that legitimate software on the infected computer and spreads across the system.

Duuzer first sets up a backdoor on the machine, allowing attackers physical access to the system.

The attackers then manually run commands through the backdoor on affected computers, and can perform a variety of operations.

"Based on our analysis of Duuzer, the attackers behind the threat appear to be experienced and have knowledge about security researchers' analysis techniques," researchers said. "Their motivation seems to be obtaining valuable information from their targets’ computers."

'Brambul' Worm and 'Joanap' Trojan also Detected

Researchers also discovered a dropper that infects computers with a worm known as Brambul and a backdoor Trojan called Joanap. The two mostly work together and are typically used to log and monitor infected systems remotely.

It is still unclear how the dropper is being distributed; however, it is believed that it comes from malicious emails.

The worm detected as W32.Brambul uses brute-force attacks via the Server Message Block (SMB) protocol to spread from one computer to another.

Once infected, the Brambul worm connects to random IP addresses on the local network and authenticates itself through SMB using common passwords, like 'password,' 'login,' '123123,' 'abc123' and 'iloveyou.'

Besides attacking other computers via SMB, Brambul creates a network share on compromised computers, usually the system drive, and then sends the computer's details and login credentials to a predefined email address.
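As an added example (not from the article or Symantec), here is a defender-side check for the spread pattern described above: one source hammering many hosts with failed SMB logons in a short window. It runs over constructed logon records in a simplified Windows event layout (Event ID 4625 failed, 4624 successful, logon type 3 = network); the field layout, IP addresses and thresholds are assumptions.

```python
# Added example (not from the article or Symantec): flag a Brambul-style SMB
# password spray from constructed Windows logon records. Brambul, as described
# above, tries common passwords against random local IPs over SMB; on the
# receiving hosts that appears as a burst of failed network logons (Event ID
# 4625, logon type 3) from one source, sometimes followed by a success (4624).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified one-line-per-event layout (assumption):
# "timestamp event_id logon_type source_ip target_host user"
SAMPLE_LOG = """\
2015-10-27T09:00:01 4625 3 10.0.0.23 WS-01 Administrator
2015-10-27T09:00:02 4625 3 10.0.0.23 WS-01 Administrator
2015-10-27T09:00:02 4625 3 10.0.0.23 WS-02 Administrator
2015-10-27T09:00:03 4625 3 10.0.0.23 WS-03 Administrator
2015-10-27T09:00:03 4625 3 10.0.0.23 WS-04 Administrator
2015-10-27T09:00:04 4625 3 10.0.0.23 WS-05 Administrator
2015-10-27T09:00:05 4624 3 10.0.0.23 WS-05 Administrator
2015-10-27T09:00:06 4625 3 10.0.0.41 WS-01 jsmith
2015-10-27T09:00:30 4625 3 10.0.0.41 WS-01 jsmith
2015-10-27T09:15:00 4625 3 10.0.0.57 WS-09 Administrator
"""


def parse_events(text):
    """Turn the sample layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, target, user = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "target": target,
            "user": user,
        })
    return events


def detect_smb_spray(events, window=timedelta(seconds=60),
                     min_failures=5, min_targets=3):
    """Return {source_ip: report} for every source whose failed network
    logons inside one `window` reach min_failures against at least
    min_targets distinct hosts. A later successful network logon from the
    same source is reported too: after a spray it usually means a hit."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:          # network logons only (SMB lands here)
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["event_id"] == 4625]
        for start in range(len(failures)):
            t0 = failures[start]["time"]
            chunk = [e for e in failures[start:] if e["time"] - t0 <= window]
            targets = {e["target"] for e in chunk}
            if len(chunk) >= min_failures and len(targets) >= min_targets:
                successes = {e["target"] for e in evs
                             if e["event_id"] == 4624 and e["time"] >= t0}
                alerts[src] = {
                    "window_start": t0.isoformat(),
                    "failures": len(chunk),
                    "targets": sorted(targets),
                    "success_after_spray": sorted(successes),
                }
                break                     # one report per source is enough
    return alerts


if __name__ == "__main__":
    for src, report in detect_smb_spray(parse_events(SAMPLE_LOG)).items():
        print(f"possible SMB spray from {src}: {report}")
```

A vulnerability scanner or a mistyped service account also produces failure bursts, so the report is a triage lead rather than a verdict; the success-after-spray field is what separates a noisy scanner from a host that was actually taken.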

Connection between Duuzer, Brambul and Joanap

According to Symantec, Duuzer is connected to both Joanap and Brambul. But how?

Once infected, Brambul drops other pieces of malware on infected machines, either Duuzer or Joanap.

Systems infected with Brambul have been used as command-and-control (CnC) servers for Duuzer and have also been compromised with Duuzer.

If Joanap is dropped, the Trojan will register itself as a local OS service, named "SmartCard Protector." The Trojan opens a backdoor on the compromised machine and starts:

Sending specific files to the attackers

Saving or deleting files

Downloading and executing files

Executing or terminating processes

Propagating instructions it receives from the C&C server

How to get rid of this ARMY?

Duuzer, Brambul, and Joanap are just a small selection of the many threats affecting South Korean organizations, and their risk level is rated very low.

Still, users and businesses are advised to keep themselves safe and protected by following these steps to prevent their systems from being compromised by this malware:

Use a firewall to block all incoming connections from the Internet to services that shouldn't be publicly available.

You should, by default, deny all incoming connections and only allow services you explicitly want to offer to the outside world.

Use complex passwords, as they are harder to crack.

Turn off Bluetooth on mobile devices if it is not required. Also, turn off any other services that are not currently needed.

Train your employees not to open email or message attachments unless they are expecting them.

There's another Mac OS X Trojan out in the wild, and it might be heading your way. If you open the file, which could appear as an emailed attachment or as a Web link, the document, written in traditional Chinese ideograms, does indeed display. But a Trojan silently installs itself in the background as you try to sort out centuries-old territorial claims. The Trojan doesn't really do anything yet. But F-Secure, the Finnish security firm that discovered it, notes that it lays the groundwork for much more sophisticated attacks against Macs.

The malware in question has been identified as Trojan-Dropper:OSX/Revir.A, which installs a backdoor, Backdoor:OSX/Imuler.A, onto the user's Mac. Currently, however, the backdoor doesn't communicate with anything. The command-and-control center for this particular malware is apparently a bare Apache installation, which has been sitting at its current domain since May of this year. Because of this, users who might fall victim to this attack aren't likely to see many ill effects for the time being, but that could change if the files end up spreading to a wider audience.

Usually, backdoors are employed to communicate with a remote command-and-control (C&C) server, which is capable of instructing the payload to siphon off data from the infected computer back to the attackers. However, F-Secure found that the C&C server is a bare Apache installation, not yet capable of communicating with the backdoor.

Botnets like Mirai that are capable of infecting Linux-based Internet of Things (IoT) devices are constantly increasing in number and are mainly designed to conduct Distributed Denial of Service (DDoS) attacks, but researchers have discovered that cybercriminals are also using such botnets for mass spam mailings.

New research conducted by Russian security firm Doctor Web has revealed that a Linux Trojan, dubbed Linux.ProxyM, which cybercriminals use to ensure their online anonymity, has recently been updated to add mass spam-sending capabilities to earn money.

The Linux.ProxyM Linux Trojan, initially discovered by the security firm in February this year, runs a SOCKS proxy server on an infected IoT device and is capable of detecting honeypots in order to hide from malware researchers.

Linux.ProxyM can operate on almost any Linux device, including routers, set-top boxes, and other equipment with the following architectures: x86, MIPS, PowerPC, MIPSEL, ARM, Motorola 68000, SuperH and SPARC.

Here's How this Linux Trojan Works:

Once infected with Linux.ProxyM, the device connects to a command and control (C&C) server and downloads the addresses of two Internet nodes:

The first provides a list of logins and passwords

The second one is needed for the SOCKS proxy server to operate

The C&C server also sends a command containing an SMTP server address, the credentials used to access it, a list of email addresses, and a message template, which contains advertising for various adult-content sites.

A typical email sent using devices infected with this Trojan contains a message that reads:

Subject: Kendra asked if you like hipster girls
A new girl is waiting to meet you.
And she is a hottie!
Go here to see if you want to date this hottie
(Copy and paste the link to your browser)
http://whi*******today.com/
Check out sexy dating profiles
There are a LOT of hotties waiting to meet you if we are being honest!

On average, each infected device sends out 400 such emails per day.

Although the total number of devices infected with this Trojan is unknown, Doctor Web analysts believe the number has changed over the months.

According to the Linux.ProxyM attacks launched during the past 30 days, the majority of infected devices are located in Brazil and the US, followed by Russia, India, Mexico, Italy, Turkey, Poland, France and Argentina.

"We can presume that the range of functions implemented by Linux Trojans will be expanded in the future," Dr Web researchers say.

"The Internet of things has long been a focal point for cybercriminals. The wide distribution of malicious Linux programs capable of infecting devices possessing various hardware architectures serves as proof of that."

The infamous mobile banking trojan that recently added ransomware features to steal sensitive data and lock user files at the same time has now been modified to steal credentials from Uber and other booking apps as well.

Security researchers at Kaspersky Lab have discovered a new variant of the Android banking Trojan called Faketoken that now has capabilities to detect and record an infected device's calls and display overlays on top of taxi booking apps to steal banking information.

Dubbed Faketoken.q, the new variant of the mobile banking trojan is being distributed using bulk SMS messages as its attack vector, prompting users to download an image file that actually downloads the malware.

Malware Spies on Phone Conversations

Once downloaded, the malware installs the necessary modules and the main payload, which hides its shortcut icon and begins monitoring everything that happens on the infected Android device, from every call to every launched app.

When calls are made to or received from certain phone numbers on the victim's device, the malware begins to record those conversations and sends the recordings to the attacker's server.

Moreover, Faketoken.q also checks which apps the smartphone owner is using, and when it detects the launch of an app whose interface it can simulate, the Trojan immediately overlays the app with a fake user interface.

Malware Exploits Overlay Feature to Steal Credit Card Details

In order to achieve this, the Trojan uses the same standard Android feature that is used by many legitimate apps, such as Facebook Messenger and window managers, to show screen overlays on top of all other apps.

The fake user interface prompts victims to enter their payment card data, including the bank's verification code, which can later be used by attackers to initiate fraudulent transactions.

Faketoken.q is capable of overlaying a large number of mobile banking apps as well as miscellaneous applications, such as:

Android Pay

Google Play Store

Apps for paying traffic tickets

Apps for booking flights and hotel rooms

Apps for booking taxis

Since fraudsters require an SMS code sent by the bank to authorise a transaction, the malware steals incoming SMS message codes and forwards them to the attackers' command-and-control (C&C) server to complete the attack.

According to the researchers, Faketoken.q has been designed to target Russian-speaking users, as it uses the Russian language on the user interface.

Ways to Protect Against Such Android Banking Trojans

The easiest way to prevent yourself from becoming a victim of such mobile banking Trojans is to avoid downloading apps via links provided in messages or emails, or from any third-party app store.

You can also go to Settings → Security and make sure "Unknown sources" option is turned off in order to block installation of apps from unknown sources.

Most importantly, verify app permissions before installing apps, even if the app is downloaded from the official Google Play Store. If an app asks for more than it needs, do not install it.

It's always a good idea to install an antivirus app from a reputed vendor that can detect and block such malware before it can infect your device, and always keep your system and apps up-to-date.

I am not much of a funny person, but I love watching funny video clips online, and this is one of the best things people can do in their spare time.

But, beware if you have installed a funny video app from Google Play Store.

A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017, on Google Play Store.

Niels Croese, a security researcher at the firm Securify B.V., analyzed the Funny Videos app, which has 1,000 to 5,000 installs, and found that the app acts like any of the regular video applications on the Play Store, but in the background it targets customers of banks around the world.

This newly discovered banking Trojan works like any other banking malware, but two things make it different from others: its capability to target victims and its use of the DexProtector tool to obfuscate the app's code.

Dubbed BankBot, the banking trojan targets customers of more than 420 banks around the world, including Citibank, ING, and some new Dutch banks, like ABN, Rabobank, ASN, Regiobank, and Binck, among many others.

How Android Banking Trojan Works

In a nutshell, BankBot is mobile banking malware that looks like a simple app and once installed, allows users to watch funny videos, but in the background, the app can intercept SMS and display overlays to steal banking information.

Mobile banking trojans often disguise themselves as plugin apps, like Flash, or as adult content apps, but this one made its way onto the Google Play Store by disguising itself as any other regular Android app.

Google has removed this malicious app from its Play Store after receiving the report from the researcher, but this does not mean that more such apps do not exist there with different names.

"Another problem is that Google [Play Store] mainly relies on automated scanning without a full understanding of the current obfuscation vectors resulting in banking malware on the Google Play Store." researcher told The Hacker News.

Once downloaded, the app persistently requests administrative rights, and if granted, the banking malware can control everything that's happening on an infected smartphone.

BankBot springs into action when the victim opens any of the mobile apps from a pre-configured list of 425 banking apps. A complete list of banks a BankBot variant is currently imitating can be found in the blog post published by the researcher.

Once one of the listed apps is opened, BankBot immediately displays an overlay, a page on top of the legitimate mobile banking app, and tricks Android users into entering their banking credentials into the overlay, just like a phishing attack.

This not only sends your banking credentials to your bank's servers but also sends them to a server controlled by fraudsters.

This social engineering technique is often used by financially motivated criminals to deceive users into giving up their personal details and sensitive banking information to fraudsters.

How to protect yourself?

There are standard protection measures you need to follow to remain unaffected:

Install a good antivirus app that can detect and block such malware before it can infect your device. Always keep the app up-to-date.

Always stick to trusted sources, like the Google Play Store and the Apple App Store, and verify app permissions before installing apps. If an app asks for more than it needs, do not install it.

Do not download apps from third-party sources. Although in this case the app was distributed through the official Play Store, such malware is most often distributed via untrusted third-party app stores.

Avoid unknown and unsecured Wi-Fi hotspots, and keep your Wi-Fi turned off when not in use.

Be careful which apps you give administrative rights to. Admin rights are powerful and can give an app full control of your device.

Never click on links in SMS or MMS messages sent to your mobile phone. Even if the message looks legitimate, go directly to the website of origin and verify any possible updates.

A month after the FBI and Europol took down the GameOver Zeus botnet by seizing servers and disrupting the botnet’s operation, security researchers have unearthed a new variant of malware based explicitly on the same Gameover ZeuS that compromised users’ computers and collectively formed a massive botnet.

GAMEOVER ZEUS TROJAN

The massive botnet, essentially a collection of zombie computers, was specifically designed to steal banking passwords, and it could also perform Denial of Service (DoS) attacks on banks and other financial institutions in order to deny legitimate users access to the site, so that the thefts remained hidden from the users.

As a result, Gameover ZeuS' developers have stolen more than $100 million from banks, businesses and consumers worldwide.

NEW GAMEOVER ZEUS TROJAN

On Thursday, security researchers at the security firm Malcovery came across a series of new spam campaigns distributing a piece of malware based on the Gameover Zeus code. It is being distributed as an attachment to spam emails masquerading as legitimate emails from financial institutions, including M&T Bank and NatWest.

"Today Malcovery's analysts identified a new trojan based heavily on the Gameover Zeus binary, the firm's blog post read. "It was distributed as the attachment to three spam email templates, utilizing the simplest method of infection through which this trojan is deployed."

ATTACK VECTOR

Malcovery has published a full disclosure and complete rundown of the botnet, which shows that all the malicious emails it sends to lure users contain a zip file with a .scr attachment inside. Once opened, the file is used to turn the machine into a zombie computer, and the threat is dangerous because many anti-virus solutions were unable to detect the malicious software.

“Once the attachment was opened and the malware payload executed, the malware began to make attempts to contact certain websites in accordance with a Domain Generation Algorithm (DGA). The goal of these contact attempts is to make contact with a server that can in turn provide instructions to the malware. Many sandboxes would have failed to launch the malware, as the presence of VMWare Tools will stop the malware from executing,” the analysis of the malware by Brendan Griffin and Gary Warner of Malcovery says.

“Other sandboxes would not have noticed the successful connection, because the malware took between 6 and 10 minutes to randomly generate the single domain name that was used successfully to launch the new Zeus trojan and download the bank information ‘webinject’ files from the server.”
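Added example, not part of Malcovery's analysis: a DNS-log triage that looks for the DGA pattern quoted above, a host emitting a burst of NXDOMAIN answers for random-looking names before one of them finally resolves. The log layout, sample names and the length/entropy thresholds are constructed assumptions.

```python
# Added example (not from Malcovery's analysis): DNS-log triage for the DGA
# pattern quoted above. A DGA-driven bot queries a stream of generated names,
# most of which do not exist (NXDOMAIN), until one resolves to a live C2.
# Log layout, sample names and thresholds are constructed assumptions.
import math
from collections import defaultdict

# Constructed sample: "timestamp client_ip query_name response_code"
SAMPLE_DNS = """\
2014-07-10T10:01:05 10.0.0.8 qtwmlkcdvyraspo.com NXDOMAIN
2014-07-10T10:01:07 10.0.0.8 bgxplznqorwkehy.net NXDOMAIN
2014-07-10T10:01:09 10.0.0.8 www.google.com NOERROR
2014-07-10T10:01:12 10.0.0.8 hfjdkslapwoeiru.org NXDOMAIN
2014-07-10T10:01:15 10.0.0.8 mzncbvxalskdjfh.com NXDOMAIN
2014-07-10T10:01:18 10.0.0.8 yuioplkjhgfdsaz.biz NXDOMAIN
2014-07-10T10:07:40 10.0.0.8 vxqdorpalmkwhcy.org NOERROR
2014-07-10T10:02:00 10.0.0.9 mail.example.com NOERROR
2014-07-10T10:02:10 10.0.0.9 intranet.example.local NXDOMAIN
"""


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    entropy = 0.0
    for n in counts.values():
        p = n / len(s)
        entropy -= p * math.log2(p)
    return entropy


def registered_label(name):
    """Second-level label, e.g. 'google' for 'www.google.com'. Multi-part
    public suffixes such as co.uk are ignored (assumption for the sample)."""
    parts = name.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(name, min_len=10, min_entropy=3.0):
    """Heuristic: a long, high-entropy second-level label."""
    label = registered_label(name)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def detect_dga_hosts(log_text, min_nxdomain=5):
    """Return {client_ip: report} for clients with at least min_nxdomain
    NXDOMAIN answers for generated-looking names, plus any generated-looking
    names that did resolve (candidate C2 domains worth blocking)."""
    per_client = defaultdict(lambda: {"nxdomain_generated": 0,
                                      "resolved_generated": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, rcode = line.split()
        if not looks_generated(qname):
            continue                      # ordinary names never count
        if rcode == "NXDOMAIN":
            per_client[client]["nxdomain_generated"] += 1
        elif rcode == "NOERROR":
            per_client[client]["resolved_generated"].append(qname)
    return {c: r for c, r in per_client.items()
            if r["nxdomain_generated"] >= min_nxdomain}


if __name__ == "__main__":
    for client, report in detect_dga_hosts(SAMPLE_DNS).items():
        print(f"{client}: {report}")
```

CDN and tracking hostnames also look random, so on a real resolver log the entropy filter needs an allow-list; the NXDOMAIN burst followed by a single resolution is the stronger signal.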

This new Gameover Zeus botnet has a more robust implementation that makes it even more difficult to combat than the previous one.

As Malcovery writes, “this discovery indicates that the criminals responsible for GameOver’s distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history.”

STATEMENT BY DEPARTMENT OF JUSTICE

On Friday, the Department of Justice released a statement saying that this new Gameover Zeus botnet was not linked to the botnet that it previously targeted.

“The Justice Department reported that all or nearly all of the active computers infected with Gameover Zeus have been liberated from the criminals’ control and are now communicating exclusively with the substitute server established pursuant to court order,” the agency said.

“The Justice Department also reported that traffic data from the substitute server shows that remediation efforts by Internet service providers and victims have reduced the number of computers infected with Gameover Zeus by 31 percent since the disruption commenced.”

If the US has banned several of its major government departments, including NASA and the Justice and Commerce Departments, from purchasing Chinese products and computer technology due to suspected backdoors, then it is not wrong at all.

A popular Chinese Android smartphone comes pre-installed with a Trojan that could allow the manufacturer to spy on its users, compromising their personal data and conversations without restriction and without the users' knowledge.

GOOGLE PLAY STORE OR A SPYING APP?

According to the researchers at the German security firm G Data, the Star N9500 smartphone, a popular and cheap handset in China, comes pre-installed with the Uupay.D Trojan horse, disguised as a version of the Google Play Store.

The trojan is camouflaged as the Google Play Store, which enables the Chinese company to secretly install malicious apps, opening up a whole spectrum of abuse.

STEALING WITHOUT RESTRICTIONS

The nasty spyware runs in the background and has the capability to steal personal information, copy users' data, automatically record calls of unlimited length and send costly SMS messages to premium services, and it sends all the stolen information to an anonymous server based in China.

The malware can also activate the smartphone's microphone at any time, turning the device into a bugging device that lets attackers hear anything said near the phone.

“The spy function is invisible to the user and cannot be deactivated,” reads the blog post published yesterday. “This means that online criminals have full access to the smartphone and all personal data. Logs that could make an access visible to the users are deleted directly.”

REMOVAL OF THE TROJAN NOT POSSIBLE

In addition, the malicious software prevents security updates from being downloaded, and the program cannot be disabled. "The program also blocks the installation of security updates," claimed G Data.

Moreover, it is not possible to uninstall the trojan because it is embedded in the firmware of the Star phone.

"Unfortunately, removing the Trojan is not possible as it is part of the device's firmware and apps that fall into this category cannot be deleted,” said Christian Geschkat, Product Manager at G Data. “This includes the fake Google Play Store app of the N9500."

CHEAP PRICE ATTRACTS USERS

The Star N9500 is an affordable copy of the Samsung Galaxy S4, which can easily be found at various online retailers such as eBay and Amazon for 130 to 165 euros and also comes with a variety of accessories, such as a second battery, a car charger adapter and a second cover.

But considering the device's high technological standard, the low price comes as a surprise, and the security researchers at G Data believe that the cheap price is made possible by the subsequent sale of data records stolen from the smartphone owner.

HOW TO CHECK IF YOU’RE AFFECTED

We recommend downloading up-to-date mobile anti-virus software and scanning your device for the trojan; if it is found, return the device to where you purchased it.

Avoid buying cheap Chinese products in order to keep your privacy and personal information out of the hands of cyber criminals and prying eyes.

Zeus, a financially motivated banking Trojan that comes in many different forms and flavors, is capable of stealing users' online banking credentials once installed. This time, a Zeus Trojan variant has turned out to be a more sophisticated piece of malware that uses web crawling.

Instead of going after Banking credentials and performing malicious keystroke logging, a new variant of Zeus Trojan focuses on Software-as-a-service (SaaS) applications for the purpose of obtaining access to proprietary data or code.

The SaaS security vendor Adallom detected a targeted malware attack campaign against a Salesforce.com customer, which began as an attack on an employee's home computer. Adallom found that the new variant had web crawling capabilities that were used to grab sensitive business data from that customer's CRM instance.

The security firm noticed the attack when it saw about 2 GB of data being downloaded to the victim's computer in less than 10 minutes. Furthermore, while Zeus usually hijacks the user session and performs wire transactions, this variant crawled the site and created a real-time copy of the user's Salesforce.com instance containing all the information from the company account.

"This looks like a targeted attack against the company, cleverly targeting the employee home instead of the enterprise – thus bypassing the company controls. This was probably just the first step, using the Zeus Web inject capabilities they could have used the same tactics as in the banking sites attacks and ask the user to enter more information regarding his company credentials or send out messages in his name," says Ami Luttwak, co-founder and CTO of Adallom.

Zeus is one of the most popular families of banking Trojans. Also, in 2012, the FBI warned us about the 'GameOver' banking Trojan, a variant of the Zeus financial malware that spreads via phishing emails.

Once installed on your system, GameOver makes fraudulent transactions from your bank account and can conduct Distributed Denial of Service (DDoS) attacks using a botnet, in which multiple computers flood the financial institution's server with traffic in an effort to deny legitimate users access to the site.

At the beginning of this year, security researcher Gary Warner explained in a blog post the behavior of the new GameOver Zeus variant, which uses encryption to bypass perimeter security.

The attackers are now bypassing traditional security measures and using Zeus against Salesforce.com and possibly other SaaS applications, in a type of attack Adallom refers to as "land-mining" and "rolladexing", to grab loads of business data and customer information.

The Adallom Labs team has yet to figure out exactly how these machines were infected and who is behind the cyber attack, so the matter is still being investigated.

The Flashback Trojan, the most sophisticated piece of malware that infected over 600,000 Apple Mac systems back in April 2012, is still alive and has recently infected about 22,000 machines, according to researchers from Intego.

As a refresher, the Flashback Trojan was first discovered in September 2011; it is basically a trojan horse that uses social engineering to trick users into installing a malicious Flash Player package.

Once installed, the Flashback malware injects code into the web browser and other applications such as Skype to harvest passwords and other information from those programs' users. The Trojan targets a known vulnerability in Java on Mac OS X systems.

The system gets infected after the user is redirected to a compromised website, where malicious JavaScript code loads the exploit via Java applets. An executable file is then saved on the local machine, which is used to download and run malicious code from a remote location.

It took Apple months to recognize the severity of this Mac malware threat, which first appeared in the fall of 2011. Apple eventually released a patch and changed the operating system's tagline on the Apple website from "It doesn't get PC viruses" to "It's built to be safe." Intego said:

The Apple Product Security Response team took serious actions in 2012 to mitigate the threat using XProtect and other security updates (including a Malware Removal Tool), however, the botnet count was only divided by six according to our sinkhole.

Now, in 2014, Intego researcher Abbati claims that the Flashback botnet is still alive and is silently "adrift."

Intego purchased some of the command and control (C&C) server domain names to monitor the Flashback threat that infected hundreds of thousands of Macs. Beginning January 2, we studied those domains and our sinkhole servers recorded all connections from Macs where Flashback is still active and trying to contact the C&C servers.

Below is a screenshot of the Apache Server log:

In April 2012, the Mac world was stunned to learn that the Flashback Trojan had infected millions of machines. Flashback's ad-clicking component caused infected Macs to view sponsored links that had the potential to generate millions of dollars in fraudulent ad revenue. In addition, it has the capability to do much more, including sending spam, engaging in denial-of-service attacks, or logging passwords.

Cybercriminal activity associated with financial Trojan programs has increased rapidly during the past few months. A Tor-based architecture is a favorite of online criminals for hiding their bots and the real location of the botnet's Command-and-Control server from security researchers.

This protects the location of a server as well as the identity of the owner in most cases. Still, there are drawbacks that prevent many criminals from hosting their servers within Tor. Due to the overlay structure, Tor is slower and timeouts are possible. Massive botnet activity may affect the whole network, as seen with Mevade, and therefore lets researchers spot such botnets more easily.

The ChewBacca malware is not the first to adopt Tor for anonymity; recently a new Zeus Trojan variant was captured in the wild that is also based on the Tor network and aimed at 64-bit systems.

Researchers did not mention how they discovered Chewbacca, or the extent to which it has spread, but they note that the malware is compiled with Free Pascal 2.7.1.

After execution on the victim's Windows system, the malware drops itself as spoolsv.exe in the startup folder and also drops a copy of Tor 0.2.3.25, which runs with its default listener on "localhost:9050". The Trojan then logs all keystrokes and sends the data back to the botnet controllers via the Tor anonymity network.

The malware also enumerates all running processes and reads their process memory. According to the researchers, the Command-and-Control server is built on a LAMP stack (Linux, Apache, MySQL and PHP).
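Added host-triage example (not from the researchers' report) for the two artifacts described above: a spoolsv.exe placed in a Startup folder and a Tor SOCKS listener on localhost:9050. The startup listing and netstat output are constructed; the paths and PIDs are assumptions.

```python
# Added host-triage example (not from the researchers' report) for the two
# artifacts described above: a spoolsv.exe placed in a Startup folder and a Tor
# SOCKS listener on localhost:9050. The startup listing and netstat output are
# constructed; paths and PIDs are assumptions.
import re

# The real print spooler lives in System32; a copy in any Startup folder is a
# name-squatting persistence entry worth pulling for analysis.
SUSPECT_NAMES = {"spoolsv.exe"}
TOR_DEFAULT_SOCKS_PORT = 9050

# Constructed listing of Startup folder contents (assumption).
STARTUP_LISTING = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spoolsv.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini",
]

# Constructed excerpt in the shape of `netstat -ano` output (assumption).
NETSTAT_OUTPUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       4120
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED     2288
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)", re.M)


def _split_win_path(path):
    """Split a Windows path into (parent directories, file name)."""
    parts = path.replace("\\", "/").split("/")
    return parts[:-1], parts[-1]


def startup_findings(paths, suspects=SUSPECT_NAMES):
    """Paths inside a Startup folder whose file name mimics a system binary."""
    hits = []
    for p in paths:
        parents, name = _split_win_path(p)
        in_startup = any(d.lower() == "startup" for d in parents)
        if in_startup and name.lower() in suspects:
            hits.append(p)
    return hits


def tor_listeners(netstat_text, port=TOR_DEFAULT_SOCKS_PORT):
    """(local address, pid) for every TCP socket listening on `port`."""
    return [(addr, int(pid))
            for addr, lport, pid in LISTEN_RE.findall(netstat_text)
            if int(lport) == port]


def triage(startup_paths, netstat_text):
    """Run both checks; only the two together match the described pattern."""
    findings = {
        "startup_impersonation": startup_findings(startup_paths),
        "tor_socks_listener": tor_listeners(netstat_text),
    }
    findings["matches_chewbacca_pattern"] = bool(
        findings["startup_impersonation"] and findings["tor_socks_listener"])
    return findings


if __name__ == "__main__":
    print(triage(STARTUP_LISTING, NETSTAT_OUTPUT))
```

A legitimately installed Tor client also listens on 9050, which is why the combined result, not the port alone, is what the triage reports.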

Chewbacca is currently not offered on public (underground) forums, unlike other toolkits such as Zeus. Perhaps it is still in development, or the malware is only used or shared privately.

The botnet's command-and-control server login page has an image of Chewbacca, a character from the Star Wars film series.

We expect more complex, Tor-based botnets in the future. Stay tuned to +The Hacker News - Stay Safe.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will walk you through the skills and concepts you need to master three elite cybersecurity certification exams: CISA, CISM, and CISSP [...]

Good news: we bring you this month's amazing deal for our readers, where you can get hacking courses for as little as you want to pay, and if you beat the average price you receive the fully upgraded hacking bundle!

Russian anti-virus company Doctor Web reports that a new Mac OS X adware Trojan is spreading via crafted movie trailer pages that prompt users to install a browser plugin. Adware is any software package that automatically renders advertisements in order to generate revenue for its author.

Dubbed 'Trojan.Yontoo.1', the threat is spread by its authors in a number of alternative ways: the Trojan can also be downloaded as a media player, a video quality enhancement program or a download accelerator.

When the victim visits the site, the dialogue only imitates the usual plugin prompt and is specially designed by the attackers to mislead a potential victim. After pressing «Install the plug-in», the victim is redirected to a site that downloads the malware.

When launched, Trojan.Yontoo.1 displays a dialogue window asking the user whether they want to install Free Twit Tube. After the user presses 'Continue', the Trojan is downloaded instead of the promised program.

While the user surfs the web, the plugin transmits information about the loaded pages to a remote server. In return, it gets a file that enables the Trojan to embed third-party code into pages visited by the user. This is how an apple.com page is displayed on an infected machine.

Russian anti-virus company Doctor Web is warning users about a malicious program that helps attackers carry out mass spam mailings and lets the attacker use the victim's PC as a slave in his DDoS army.

According to the company's researchers, they have discovered a Trojan, "Trojan.Proxy.23012", that uses a rare method of distribution through peer-to-peer networks.

"The botnet, consisting of Trojan.Proxy.23012-infected computers, is used by criminals to control proxy servers for the purpose of using them to send spam upon command". An example of such a spam message is shown in the screenshot below.

This malware works as follows:

1.) Using a peer-to-peer network, it downloads an executable file, which is an encrypted malicious module. The Trojan uses a very interesting algorithm to download other malware to the infected computer.

2.) After successfully decrypting it, the Trojan launches another module that loads the image into computer memory, or other malicious applications.

3.) The program is saved to the user's account as an executable file with a random name, and then modifies the Windows registry to give itself the ability to run automatically when the operating system loads.

4.) The Trojan is launched automatically at Windows startup. The malware also tries to disable UAC. At the final stage of the installation process, the Trojan code is injected into explorer.exe.

After the DDoS module is successfully downloaded, it spawns up to eight independent threads that continuously send POST requests to servers from a list stored by the Trojan downloader, try to connect to a number of servers via SMTP, and then send them random data.

The full list contains 200 sites selected as targets for the DDoS attack, some of which are well-known resources such as the portal love.com, owned by the corporation America On-Line, the sites of several major U.S. universities, as well as the portals msn.com, netscape.com and others.

Two days ago we (THN) reported that the FBI will shut down the Internet on 8th March. The title seems attention-seeking. Why? Well! Our job is to make you aware of Internet security. If we are looking for some extra attention from our readers, then it is part of our small effort to make the Internet a more secure space for all.

Today we are going to explain all about the DNSChanger Trojan, its impact on Internet users, the biggest challenge for the FBI in resolving it, and how a non-technical user can check and restore their computer. We hope you will share this article with your friends, followers and on your site to make them aware of this serial Internet killer.

What is DNS (Domain Name System)? DNS is an Internet service that converts user-friendly domain names into the numerical Internet Protocol (IP) addresses that computers use to talk to each other. When you enter a domain name, such as www.thehackernews.com, in your web browser's address bar, your computer contacts DNS servers to determine the IP address for the website. Your computer then uses this IP address to locate and connect to the website. DNS servers are operated by your Internet service provider (ISP) and are included in your computer's network configuration. DNS and DNS servers are a critical component of your computer's operating environment: without them, you would not be able to access websites, send e-mail, or use any other Internet services.

What is DNSChanger? A small file of about 1.5 kilobytes, DNSChanger is a Trojan that changes the infected system's Domain Name Server (DNS) settings in order to divert traffic to unsolicited, and potentially illegal, sites. This Trojan is designed to change the 'NameServer' registry key value to a custom IP address. This IP address is usually encrypted in the body of the Trojan.

When? The DNSChanger malware was first discovered around 2007 and has since infected millions of computers, around 500,000 of them in the U.S.; through these computers the criminals have reportedly pulled in around $14 million in stolen funds. The FBI has uncovered a network of rogue DNS servers and has taken steps to disable it. The FBI is also undertaking an effort to identify and notify victims who have been impacted by the DNSChanger malware.

Who is infected, and technical info? Both Windows and Mac OS users are at risk of this infection because it exploits your browser, not your operating system. Here are some known hostile IP address ranges used by the DNSChanger malware:

64.28.176.1 - 64.28.191.254

67.210.0.1 - 67.210.15.254

77.67.83.1 - 77.67.83.254

85.255.112.1 - 85.255.127.254

93.188.160.1 - 93.188.167.254

213.109.64.1 - 213.109.79.254

Why is it not easy to remove this Trojan? One consequence of disabling the rogue DNS network is that victims who rely on it for DNS service could lose access to DNS services, so the FBI will start this process on March 8.

Why 8th March 2012? After the takedown of the DNSChanger botnet in November 2011, the FBI obtained a court order allowing it to set up a temporary replacement for the DNSChanger command & control network. The court order expires on March 8th, 2012. Unless the FBI obtains a new court order allowing it to continue operating the temporary network, the network will be turned off, resulting in millions of computers worldwide no longer being able to access the Internet.

How to check manually whether your system is infected or not? The best way to determine if your computer has been affected by DNSChanger is to have it evaluated by a computer professional.
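If you want to do the check yourself, the question is simply whether the resolvers your machine is configured to use fall inside the rogue ranges listed above. The script below is an added example written for this article, not a tool from the FBI or Avira: it takes the text of `ipconfig /all`, of `/etc/resolv.conf`, or of a `reg query` on the 'NameServer' value, pulls out the resolver addresses and compares each against the published ranges. The sample outputs embedded in it are constructed for the demonstration.

```python
import ipaddress
import re

# Rogue DNS server ranges published for DNSChanger (from the list above):
# first and last address of each range.
ROGUE_DNS_RANGES = [
    ("64.28.176.1", "64.28.191.254"),
    ("67.210.0.1", "67.210.15.254"),
    ("77.67.83.1", "77.67.83.254"),
    ("85.255.112.1", "85.255.127.254"),
    ("93.188.160.1", "93.188.167.254"),
    ("213.109.64.1", "213.109.79.254"),
]

# Lines that carry resolver addresses in ipconfig, resolv.conf and reg query output.
RESOLVER_LINE = re.compile(r"nameserver|DNS Servers?|NameServer", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_rogue_dns(ip):
    """True if the IPv4 address lies inside any published DNSChanger range."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)
               for first, last in ROGUE_DNS_RANGES)


def extract_resolvers(config_text):
    """Collect resolver IPs from ipconfig /all, /etc/resolv.conf or reg query text.

    ipconfig prints extra DNS servers on unlabeled continuation lines, so a bare
    IP directly after a 'DNS Servers' line is treated as part of the same list.
    """
    resolvers = []
    in_dns_block = False
    for line in config_text.splitlines():
        if RESOLVER_LINE.search(line):
            in_dns_block = True
            resolvers.extend(IPV4.findall(line))
        elif in_dns_block and IPV4.fullmatch(line.strip()):
            resolvers.append(line.strip())
        else:
            in_dns_block = False
    return resolvers


def audit_resolvers(config_text):
    """Map each configured resolver to True (rogue) or False (not in the list)."""
    return {ip: is_rogue_dns(ip) for ip in extract_resolvers(config_text)}


# Constructed sample of `ipconfig /all` output on an infected Windows machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.40
                                       85.255.112.41
"""

# Constructed sample of a clean /etc/resolv.conf.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.1
nameserver 8.8.8.8
"""

# Constructed sample of `reg query` output for the NameServer value the Trojan edits.
SAMPLE_REG_QUERY = """\
    NameServer    REG_SZ    93.188.160.7,93.188.161.9
"""

if __name__ == "__main__":
    for label, text in [("ipconfig", SAMPLE_IPCONFIG),
                        ("resolv.conf", SAMPLE_RESOLV_CONF),
                        ("registry", SAMPLE_REG_QUERY)]:
        for ip, rogue in audit_resolvers(text).items():
            print(f"{label}: {ip} -> {'ROGUE DNSChanger server' if rogue else 'ok'}")
```

A resolver outside the list is not proof of a clean machine (the Trojan could point at an address that was never published), but any hit inside these ranges is a clear sign the settings were changed and need to be restored.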

Avira also cooperated with the German Federal Office for Information Security (BSI) and published the tool on a special website created to check whether DNS requests are made to the right places: www.DNS-OK.de. Besides the website, users can also download OK DNS, the DNS-repair tool, from the Avira website here.

Will all computers be secured after 8th March? According to the FBI, it is quite possible that computers infected with this malware are also infected with other malware. The establishment of these clean DNS servers does not guarantee that the computers are safe from other malware. The main intent is to ensure users do not lose DNS service.

Rapidly growing numbers of insecure Internet-connected devices are becoming an albatross around the necks of individuals and organizations, with malware authors routinely hacking them to form botnets that can then be used as weapons in DDoS and other cyber attacks.

But now finding the malicious servers, hosted by attackers, that control botnets of infected machines gets a bit easier, thanks to Shodan and Recorded Future.

Shodan and Recorded Future have teamed up and launched Malware Hunter – a crawler that scans the Internet regularly to identify botnet command and control (C&C) servers for various malware and botnets.

Malware Hunter results have been integrated into Shodan – a search engine designed to gather and list information about all types of Internet-connected devices and systems.

How Does Malware Hunter Identify a C&C Server?

You might be wondering how Malware Hunter will get to know which IP address is being used to host a malicious C&C server.

For this, Shodan has deployed specialized crawlers that scan the whole Internet looking for computers and devices configured to function as a botnet C&C server, by pretending to be an infected computer reporting back to the command-and-control server.

The crawler effectively reports back to every IP address on the Web as if the target IP were a C&C server, and if it gets a positive response, it knows the IP is a malicious C&C server.

"RATs return specific responses (strings) when a proper request is presented on the RAT controller's listener port," according to a 15-page report [PDF] published by Recorded Future.

"In some cases, even a basic TCP three-way handshake is sufficient to elicit a RAT controller response. The unique response is a fingerprint indicating that a RAT controller (control panel) is running on the computer in question."
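The mechanism in that quote is easy to see in code. The block below is an added example written for this article, not Shodan's or Recorded Future's crawler: it holds a small fingerprint table (family name, the request to send, the response prefix that identifies a controller), probes a host with each entry and reports the families whose fingerprint matched. Every signature, the stub listener and its banner are constructed placeholders for the demonstration, not the real byte patterns of any RAT; the stub stands in for the "handshake alone is enough" case from the report.

```python
import socket
import socketserver
import threading

# Constructed fingerprint table (placeholders, not real controller signatures).
# request == b"" means the listener is expected to speak first after the TCP handshake.
SIGNATURES = [
    {"family": "ExampleRAT-A", "request": b"", "response_prefix": b"XRAT-A\x01"},
    {"family": "ExampleRAT-B", "request": b"HELLO\r\n", "response_prefix": b"B-PANEL-OK"},
]


def classify_response(signature, data):
    """True when the bytes read back start with the signature's expected prefix."""
    return bool(data) and data.startswith(signature["response_prefix"])


def probe(host, port, request=b"", timeout=2.0):
    """Connect, optionally send a request, and return what the peer sends first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if request:
                s.sendall(request)
            return s.recv(1024)
    except (OSError, socket.timeout):
        return b""  # closed port, filtered port, or silent peer: nothing to match


def fingerprint(host, port):
    """Run every signature against host:port; return the families that matched."""
    matches = []
    for sig in SIGNATURES:
        data = probe(host, port, sig["request"])
        if classify_response(sig, data):
            matches.append(sig["family"])
    return matches


class StubPanel(socketserver.BaseRequestHandler):
    """Stand-in for a control panel that greets every connection immediately."""
    banner = b"XRAT-A\x01\x00\x00"  # constructed banner matching ExampleRAT-A

    def handle(self):
        self.request.sendall(self.banner)


def start_stub_panel():
    """Bind the stub to an ephemeral port on loopback and serve it in a thread."""
    server = socketserver.TCPServer(("127.0.0.1", 0), StubPanel)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def demo():
    """Fingerprint the local stub and return the matched families."""
    server = start_stub_panel()
    host, port = server.server_address
    try:
        return fingerprint(host, port)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("matched families:", demo())  # ['ExampleRAT-A']
```

Two things carry over to real deployments: a silent or closed port yields no match rather than an error, and each family is probed with its own request, since a controller that only answers a specific greeting will not show up on a bare handshake.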

Malware Hunter Already Identified Over 5,700 Malicious C&C Servers

We gave it a try and found impressive results, briefly mentioned below:

Malware Hunter has already identified over 5,700 command-and-control servers around the World.

The top 3 countries hosting command-and-control servers are the United States (72%), Hong Kong (12%) and China (5.2%).

Five popular Remote Access Trojans (RATs) in wide use include Gh0st RAT (93.5%) and DarkComet (3.7%), along with a few servers belonging to njRAT, ZeroAccess and XtremeRAT.

Shodan is also able to identify C&C servers for Black Shades, Poison Ivy, and Net Bus.

To see the results, all you have to do is search for "category:malware" (without the quotes) on the Shodan website.

Malware Hunter aims at making it easier for security researchers to identify newly hosted C&C servers, even before having access to respective malware samples.

This intelligence would also help anti-virus vendors identify malware that is not yet detected and prevent it from sending your stolen data back to the attacker's command-and-control servers.

If you are a regular reader of The Hacker News, you might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.

Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.

Dridex is currently one of the most dangerous banking trojans on the Internet; it infiltrates PCs, monitors the victim's traffic to bank sites, and steals online banking credentials and financial data.

The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails.

However, this is the first time researchers have found the Dridex operators using an unpatched zero-day flaw in Microsoft Word to distribute their banking trojan.

According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks primarily located in Australia.

"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "[device]@[recipient's domain]." [Device] may be "copier", "documents", "noreply", "no-reply", or "scanner"," Proofpoint researchers say.

"The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits...the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing."
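The lure characteristics Proofpoint lists translate directly into a mail-gateway check. The block below is an added example written for this article, not Proofpoint's own detection: it scores a message on the three observable traits (a sender whose local part is one of the device names and whose domain equals the recipient's, the "Scan Data" subject, and an attachment named Scan_ plus six digits with a .doc or .pdf extension). The sample messages are constructed with Python's standard email library; the addresses in them are placeholders.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Device-style local parts Proofpoint saw in the spoofed senders.
SPOOFED_DEVICE_NAMES = {"copier", "documents", "noreply", "no-reply", "scanner"}
# Scan_123456.doc / Scan_123456.pdf with the digits randomised.
ATTACHMENT_PATTERN = re.compile(r"^Scan_\d{6}\.(doc|pdf)$", re.IGNORECASE)


def lure_indicators(msg):
    """Return the campaign indicators an email.message.EmailMessage matches."""
    hits = []
    _, sender = parseaddr(msg.get("From", ""))
    _, recipient = parseaddr(msg.get("To", ""))
    s_local, _, s_domain = sender.rpartition("@")
    _, _, r_domain = recipient.rpartition("@")
    # "[device]@[recipient's domain]": a printer-like name on the victim's own domain.
    if s_local.lower() in SPOOFED_DEVICE_NAMES and s_domain and s_domain.lower() == r_domain.lower():
        hits.append("device-sender-spoofing-recipient-domain")
    if (msg.get("Subject") or "").strip().lower() == "scan data":
        hits.append("subject-scan-data")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_PATTERN.match(name):
            hits.append("attachment-" + name)
    return hits


def is_probable_dridex_lure(msg, min_hits=2):
    """Require at least two independent indicators before flagging a message."""
    return len(lure_indicators(msg)) >= min_hits


def build_message(sender, recipient, subject, attachment_name=None):
    """Assemble a constructed test message with an optional dummy attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content("Please see the attached scan.")
    if attachment_name:
        msg.add_attachment(b"placeholder attachment bytes", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg


# Constructed samples: one shaped like the campaign, one ordinary business mail.
LURE = build_message("scanner@example.com", "alice@example.com", "Scan Data", "Scan_482913.doc")
BENIGN = build_message("bob@partner.example", "alice@example.com", "Q2 invoice", "invoice_q2.pdf")

if __name__ == "__main__":
    for label, m in [("lure", LURE), ("benign", BENIGN)]:
        print(label, lure_indicators(m), "flag" if is_probable_dridex_lure(m) else "pass")
```

The two-indicator threshold is deliberate: plenty of real scanners send "Scan Data" mails from scanner@ on the company domain, so a single trait alone would drown the queue in false positives, whereas the combination with the Scan_NNNNNN.doc name is what made this campaign recognisable.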

As we reported on Saturday, this zero-day flaw is severe because it lets attackers bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it doesn't require victims to enable macros.

Moreover, given the danger of the Dridex banking trojan (also known as Bugat and Cridex), people are strongly advised not to open Word documents attached to an email from anyone, even a sender you know, until Microsoft releases a patch.

Microsoft knew of the flaw long ago

According to researchers at McAfee and FireEye, Microsoft has known of the remote code execution flaw since January and could release a patch for the vulnerability today, as part of its regular Patch Tuesday routine.

However, independent security researcher Ryan Hanson claimed that he discovered this 0-day, along with two other flaws, in July and reported them to Microsoft in October 2016.

"The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those two bugs and an additional Outlook bug were submitted to MS in October," Hanson told The Hacker News.

"There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they've identified functions exactly like the one I disclosed. The only difference I see is the VBScript payload, since my payload simply executed calc.exe."

If Hanson's claims are true and the vulnerability he reported is the same one being used in the wild to spread Dridex, Microsoft left its customers vulnerable to attacks even after knowing of the critical flaw for quite some time.

Enable 'Protected View' in Microsoft Office to Prevent Attack

Since the attack does not work when a malicious document is viewed in Office Protected View, users are advised to enable this feature in order to view any Office documents.

For more technical details about the latest Dridex malware campaign exploiting the unpatched Microsoft Word flaw, you can head on to the blog post published by Proofpoint.

Security researchers have discovered a new variant of Dridex, one of the most nefarious banking Trojans actively targeting the financial sector, with a new, sophisticated code injection technique and evasive capabilities called "AtomBombing."

On Tuesday, Magal Baz, security researcher at Trusteer IBM, disclosed new research exposing Dridex version 4, the latest version of the infamous financial Trojan, and its new capabilities.

Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data.

However, by including AtomBombing capabilities, Dridex becomes the first malware sample seen using such a sophisticated code injection technique to evade detection.

What is "AtomBombing" Technique?

The code injection techniques used by previous versions of the Dridex Trojan have become too common and easy to spot for antivirus and other security solutions.

But since AtomBombing is a different approach to code injection that does not rely on the easy-to-detect API calls used by old Dridex versions, leveraging it in the latest Dridex version makes the malware difficult for antivirus products to detect.

Initially spotted in October by Tal Liberman of the security firm enSilo, AtomBombing is a code injection technique that could allow attackers to inject malicious code on every version of Microsoft's Windows OS, even Windows 10, in a manner that no existing anti-malware tool can detect.

AtomBombing does not exploit any vulnerability but abuses the system-level Atom Tables, a Windows feature that allows applications to store strings, objects and other data that they need to access regularly.

An attacker can write malicious code into an atom table and trick legitimate applications into retrieving it from the table to execute malicious actions on nearly any Windows operating system released in the past 16 years.

Dridex Version 4 Discovered In the Wild

According to IBM X-Force researchers, the Dridex banking Trojan recently underwent a major version upgrade, now supporting AtomBombing.

But the malware author only went halfway, which makes Dridex v4 different from other AtomBombing attacks: the attackers used "the AtomBombing technique for the writing of the payload, then used a different method to achieve execution permissions, and for the execution itself."

"The flow differs from the one described in the AtomBombing technique. To get the payload into an executable memory space, Dridex simply calls NtProtectVirtualMemory from the injecting process to change the memory where the payload is already written into RWX," X-Force researchers said.

Since using an APC call to run the payload would have been very suspicious and could be detected and stopped, Dridex v4 instead uses "the same GlobalGetAtomW method to patch GlobalGetAtomA, hooking it to execute the payload."
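The X-Force description gives defenders a concrete sequence to look for: a process writes its payload through the atom table and then calls NtProtectVirtualMemory on a different process to make that memory RWX. The block below is an added example written for this article, not IBM's detection logic: it runs a sequence rule over API-call telemetry. The telemetry lines and their column layout are constructed; the example assumes the atom-table writes surface as GlobalAddAtomA/W calls (the page itself names only GlobalGetAtomA/W), and 0x40 is the Windows PAGE_EXECUTE_READWRITE constant.

```python
import csv
import io
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # the RWX protection X-Force says Dridex requests

# Constructed API-call telemetry (not real Dridex data):
# ts, pid, image, api, target_pid (empty = own process), protect (hex, empty if n/a)
SAMPLE_TELEMETRY = """\
ts,pid,image,api,target_pid,protect
100,4120,updater.exe,GlobalAddAtomW,,
101,4120,updater.exe,GlobalAddAtomW,,
102,4120,updater.exe,GlobalAddAtomW,,
103,4120,updater.exe,GlobalAddAtomW,,
104,4120,updater.exe,GlobalAddAtomW,,
105,4120,updater.exe,GlobalAddAtomW,,
106,4120,updater.exe,GlobalAddAtomW,,
107,4120,updater.exe,GlobalAddAtomW,,
108,4120,updater.exe,GlobalAddAtomW,,
109,4120,updater.exe,GlobalAddAtomW,,
120,4120,updater.exe,NtProtectVirtualMemory,2288,0x40
121,2288,explorer.exe,GlobalGetAtomA,,
130,1500,word.exe,NtProtectVirtualMemory,1500,0x40
140,3300,backup.exe,NtProtectVirtualMemory,3301,0x04
150,5000,svc.exe,NtProtectVirtualMemory,5001,0x40
"""


def parse_telemetry(text):
    """Turn the CSV telemetry into typed rows."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(row["ts"]),
            "pid": int(row["pid"]),
            "image": row["image"],
            "api": row["api"],
            "target_pid": int(row["target_pid"]) if row["target_pid"] else None,
            "protect": int(row["protect"], 16) if row["protect"] else None,
        })
    return rows


def detect_atom_injection(rows, min_atom_writes=8, window=60):
    """Alert on cross-process NtProtectVirtualMemory(RWX); rate it 'high' when the
    caller made a burst of GlobalAddAtom* calls shortly before (payload staging)."""
    atom_writes = defaultdict(list)  # pid -> timestamps of GlobalAddAtomA/W calls
    alerts = []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if r["api"].startswith("GlobalAddAtom"):
            atom_writes[r["pid"]].append(r["ts"])
            continue
        cross_process = r["target_pid"] not in (None, r["pid"])
        if (r["api"] == "NtProtectVirtualMemory" and cross_process
                and r["protect"] == PAGE_EXECUTE_READWRITE):
            recent = [t for t in atom_writes[r["pid"]] if r["ts"] - t <= window]
            alerts.append({
                "ts": r["ts"],
                "pid": r["pid"],
                "image": r["image"],
                "target_pid": r["target_pid"],
                "atom_writes_in_window": len(recent),
                "severity": "high" if len(recent) >= min_atom_writes else "medium",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_atom_injection(parse_telemetry(SAMPLE_TELEMETRY)):
        print(alert)
```

The self-targeted RWX change by word.exe and the cross-process change to plain read-write by backup.exe are left alone on purpose: JIT engines and debuggers do both routinely, and it is the combination of another process's memory and execute permission that is rare enough to page on.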

Researchers said the new Dridex v4 is already in use in active campaigns against European banks, and it's only a matter of time before hackers begin targeting American financial institutions as well.

Antivirus and security product vendors can now update their systems to track and prevent Dridex v4 attacks, since IBM's findings are available to all.

For a more detailed explanation and technical working of the latest version of Dridex Trojan, you can head on to IBM's blog post.

"The Interview", the controversial North Korean-baiting film which appeared to be the root cause of the cyber mishap occurred at Sony Pictures Entertainment that threatened terror attack at theaters showing the movie, now threatens to expose users of Android phones to a malware attack.

Since its release, everyone is talking about "The Interview" — the Seth Rogen and James Franco-starring comedy centered around a TV host and his producer assassinating North Korean dictator Kim Jong Un. Because cybercriminals are known to take advantage of major events where there is a high level of public interest, The Interview became their target.

In a joint investigation, security researchers from McAfee, Technische Universität Darmstadt and the Center for Advanced Security Research Darmstadt (CASED) have discovered an Android app that claims to download 'The Interview' to users' smartphones but actually infects their devices with a banking trojan in order to steal their financial information.

The banking Trojan appears to be hosted on Amazon Web Services and is delivered via a torrent file. Researchers have identified that the malware campaign targets Android users in South Korea and has been active for the last few days. The campaign attempts to exploit the popularity of The Interview, the movie that triggered tension over its release on Christmas.

The trojan, detected by researchers at McAfee as Android/Badaccents, targets customers of several Korean banks as well as an international bank, Citi Bank. According to the researchers, the Trojan is selective about its victims and avoids infecting devices sold in North Korea.

"One aspect which will probably raise eyebrows, is that the malware code includes a routine to check the device’s manufacturing information," Graham Cluley wrote on his blog. "If it is set to either 삼지연 (Samjiyon) or 아리랑 (Arirang), smartphone manufacturers whose Android devices are sold in North Korea, the malware will not infect, and instead display a message that an attempt to connect to the server failed."

The researchers' findings cited by Cluley revealed that at least 20,000 devices have been infected and that the information exfiltrated from the devices is uploaded to a Chinese mail server.

Security researchers at McAfee have notified Amazon Web Services about the malware hosting issue so that the Amazon-hosted files can be removed to prevent further infections. However, other online storage services could be used by cybercriminals to carry on the campaign.

Usually cybercriminals use third-party Android app stores to distribute trojans to smartphone users, but this is the first time cyber crooks have chosen torrent websites to deliver a Trojan, probably because "The Interview" is already at the top of search results in Korea and most other countries.

A team of researchers from the U.S. and Europe has developed a hardware Trojan that is undetectable by many techniques, raising the question of whether proper hardware qualification is needed.

They released a paper on stealthy Dopant-Level Hardware Trojans, showing how integrated circuits used in computers, military equipment and other critical systems can be maliciously compromised during the manufacturing process.

"In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors." states the paper abstract.

The scientists devised two such backdoors that they said adversaries could feasibly build into processors to surreptitiously bypass cryptographic protections provided by the computers running the chips. Instead of adding additional circuitry to the target design, the researchers inserted their hardware Trojans by changing the dopant polarity of existing transistors.

Doping is a process for modifying the electrical properties of silicon by introducing tiny amounts of impurities such as phosphorus, boron and gallium into the crystal. By switching the doping on a few transistors, parts of the integrated circuit no longer work as they should. Because the changes happen at the atomic level, they are hard to detect. The modifications fooled a number of common Trojan testing methods, including optical inspection and checking against golden chips.

“Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against ‘golden chips,’”

Hardware trojans have been the subject of considerable research since at least 2005 when the U.S. Department of Defense publicly expressed concerns over the military's reliance on integrated circuits manufactured abroad.

The exploitation of hardware backdoors for cyber espionage has always been the subject of heated debate; intelligence experts have in the past accused Chinese companies of having the ability to remotely access communication equipment sold in the United States and Western countries thanks to this kind of attack.

The paper details how to compromise Intel Ivy Bridge processors, and how to pull off a side-channel attack that leaks secret keys from the hardware.

In the Ivy Bridge attack, the researchers got their Trojan onto the processor at the sub-transistor level: "Our Trojan is capable of reducing the security of the produced random number from 128 bits to n bits, where n can be chosen,"

“Despite these changes, the modified Trojan RNG passes not only the Built-In-Self-Test (BIST) but also generates random numbers that pass the NIST test suite for random numbers.”
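Why a trojaned generator can pass the NIST suite while offering only n bits of security is worth seeing concretely. The block below is an added example written for this article, not the paper's circuit: it models a generator whose only real entropy is an n-bit hidden seed stretched with a keyed hash under a constant the attacker knows. The 128-bit outputs look uniform (a simple monobit check passes), yet anyone holding the constant recovers the seed from two outputs by enumerating 2**n candidates and can then predict every future output. The constant and seed values are constructed for the demonstration.

```python
import hashlib
import secrets

OUTPUT_BITS = 128
KNOWN_CONSTANT = b"dopant-trojan-demo"  # constructed: stands in for the fixed value the Trojan bakes in


def trojaned_rng(n, known_constant=KNOWN_CONSTANT, seed=None):
    """Yield 128-bit outputs whose entropy is capped at n bits.

    A hidden n-bit seed is expanded with SHA-256 over (constant, seed, counter),
    so only 2**n distinct output streams exist however many values are drawn.
    """
    if seed is None:
        seed = secrets.randbelow(1 << n)  # the only genuine entropy: n bits
    counter = 0
    while True:
        block = hashlib.sha256(known_constant + seed.to_bytes(16, "big")
                               + counter.to_bytes(8, "big")).digest()
        yield int.from_bytes(block[:16], "big")
        counter += 1


def predict(seed, n, count, known_constant=KNOWN_CONSTANT):
    """First `count` outputs for a given seed (what an attacker can compute)."""
    gen = trojaned_rng(n, known_constant, seed=seed)
    return [next(gen) for _ in range(count)]


def monobit_fraction(values, bits=OUTPUT_BITS):
    """Fraction of one-bits across the outputs; a healthy stream sits near 0.5."""
    ones = sum(bin(v).count("1") for v in values)
    return ones / (len(values) * bits)


def recover_seed(outputs, n, known_constant=KNOWN_CONSTANT):
    """Brute-force the n-bit seed that reproduces the observed outputs."""
    for candidate in range(1 << n):
        gen = trojaned_rng(n, known_constant, seed=candidate)
        if all(next(gen) == o for o in outputs):
            return candidate
    return None


if __name__ == "__main__":
    n = 16                                  # chosen small so the search runs in seconds
    observed = predict(0x2A5C, n, 2)        # two outputs an attacker has seen
    print("monobit fraction:", round(monobit_fraction(predict(0x2A5C, n, 1000)), 3))
    seed = recover_seed(observed, n)
    print("recovered seed:", hex(seed), "next output:", hex(predict(seed, n, 3)[2]))
```

The statistical test only measures the distribution of the bits it is given; it cannot see that the 2**128 apparent outputs collapse to 2**n reachable streams, which is exactly why the paper's modified RNG still passes BIST and the NIST suite.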

The possibility of infiltrating a supply chain with a hardware Trojan is a goal for any government; the repercussions could be critical considering the penetration of technology in the military and commercial sectors.

The latest Snowden revelations on NSA surveillance activities showed the effort spent by US intelligence with major chipmakers to introduce backdoors into hardware sold to foreign targets.